authorMatthew Fennell <matthew@fennell.dev>2026-01-02 13:40:03 +0000
committerMatthew Fennell <matthew@fennell.dev>2026-01-02 13:40:03 +0000
commitffd87ae6c33513fd3e187e924efdad9a8fa0f7b3 (patch)
tree8af80383d3ff69b968808d9575c9c8f6f9004352
parentd9305b275096db83180f4306a0f962fd0785b823 (diff)
Replace deSEC with Mythic Beasts as DNS provider
I have now moved all servers' nameservers to Mythic Beasts. Replace the old deSEC requests with ones to Mythic Beasts.
-rw-r--r--playbook.yaml234
1 files changed, 104 insertions, 130 deletions
diff --git a/playbook.yaml b/playbook.yaml
index 9cc207d..2fbaa56 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -90,121 +90,113 @@
ansible.builtin.set_fact:
dane_hash: "{{ dane_result.stdout }}"
- # We allow status code 400 here as this is returned by deSEC if the domain
- # already exists. Ideally, we should filter out genuinely good/bad requests
- # here using the response.
- - name: Ensure domain exists in deSEC
+ - name: Ensure common records exist
ansible.builtin.uri:
- url: https://desec.io/api/v1/domains/
- method: POST
- status_code: [201, 400]
- body_format: json
- headers:
- Authorization: Token {{ desec_token }}
- body:
- name: "{{ virtual_host }}"
- register: request
- delegate_to: localhost
-
- - name: Ensure domain is registered
- ansible.builtin.uri:
- url: https://desec.io/api/v1/domains/{{ virtual_host }}/
- method: GET
- headers:
- Authorization: Token {{ desec_token }}
- register: domain
- delegate_to: localhost
-
- - name: Ensure domain to register DS record is registered
- ansible.builtin.uri:
- url: https://desec.io/api/v1/domains/?owns_qname={{ parent_host }}
- method: GET
- headers:
- Authorization: Token {{ desec_token }}
- register: parent_domain
- delegate_to: localhost
-
- - name: Ensure DS is registered in parent domain
- ansible.builtin.uri:
- url: "https://desec.io/api/v1/domains/{{ domain_with_ds }}/rrsets/"
+ url: "https://api.mythic-beasts.com/dns/v2/zones/{{ domain }}/records\
+ ?select=host%3Dchat{{ env_suffix }}%26type%3DA\
+ &select=host%3Dchat{{ env_suffix }}%26type%3DAAAA\
+ &select=host%3Dconference{{ env_suffix }}%26type%3DCNAME\
+ &select=host%3Dupload{{ env_suffix }}%26type%3DCNAME\
+ &select=host%3D_xmpp-client._tcp{{ env_suffix }}%26type%3DSRV\
+ &select=host%3D_xmpps-client._tcp{{ env_suffix }}%26type%3DSRV\
+ &select=host%3D_5222._tcp.chat{{ env_suffix }}%26type%3DTLSA\
+ %26data%3D{{ dane_hash }}\
+ &select=host%3D_5223._tcp.chat{{ env_suffix }}%26type%3DTLSA\
+ %26data%3D{{ dane_hash }}"
method: PUT
body_format: json
- headers:
- Authorization: Token {{ desec_token }}
body:
- - subname: "{{ ds_subname }}"
- type: DS
- ttl: 3600
- records: "{{ domain_keys }}"
+ records:
+ - host: "chat{{ env_suffix }}"
+ type: "A"
+ data: "{{ ipv4 }}"
+ - host: "chat{{ env_suffix }}"
+ type: "AAAA"
+ data: "{{ ipv6 }}"
+ - host: "conference{{ env_suffix }}"
+ type: "CNAME"
+ data: "chat{{ env_suffix }}.{{ domain }}."
+ - host: "upload{{ env_suffix }}"
+ type: "CNAME"
+ data: "chat{{ env_suffix }}.{{ domain }}."
+ - host: "_xmpp-client._tcp{{ env_suffix }}"
+ type: "SRV"
+ data: "chat{{ env_suffix }}.{{ domain }}."
+ srv_priority: 0
+ srv_weight: 5
+ srv_port: 5222
+ - host: "_xmpps-client._tcp{{ env_suffix }}"
+ type: "SRV"
+ data: "chat{{ env_suffix }}.{{ domain }}."
+ srv_priority: "0"
+ srv_weight: "5"
+ srv_port: "5223"
+ - host: "_5222._tcp.chat{{ env_suffix }}"
+ type: "TLSA"
+ data: "{{ dane_hash }}"
+ tlsa_usage: "3"
+ tlsa_selector: "1"
+ tlsa_matching: "1"
+ - host: "_5223._tcp.chat{{ env_suffix }}"
+ type: "TLSA"
+ data: "{{ dane_hash }}"
+ tlsa_usage: "3"
+ tlsa_selector: "1"
+ tlsa_matching: "1"
delegate_to: localhost
- when: domain_with_ds != ""
- - name: Ensure records are registered in subdomain
+ - name: Ensure non-transport records exist
ansible.builtin.uri:
- url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
+ url: "https://api.mythic-beasts.com/dns/v2/zones/{{ domain }}/records\
+ ?select=host%3D_xmpp-server._tcp{{ env_suffix }}%26type%3DSRV\
+ &select=host%3D_xmpps-server._tcp{{ env_suffix }}%26type%3DSRV\
+ &select=host%3D_xmpps-server._tcp.conference{{ env_suffix }}\
+ %26type%3DSRV\
+ &select=host%3D_xmpps-server._tcp.upload{{ env_suffix }}%26type%3DSRV\
+ &select=host%3D_5269._tcp.chat{{ env_suffix }}%26type%3DTLSA\
+ %26data%3D{{ dane_hash }}\
+ &select=host%3D_5270._tcp.chat{{ env_suffix }}%26type%3DTLSA\
+ %26data%3D{{ dane_hash }}"
method: PUT
body_format: json
- headers:
- Authorization: Token {{ desec_token }}
body:
- - subname: "conference"
- type: CNAME
- ttl: 3600
- records: ["chat.{{ virtual_host }}."]
- - subname: "upload"
- type: CNAME
- ttl: 3600
- records: ["chat.{{ virtual_host }}."]
- - subname: "_xmpp-client._tcp"
- type: SRV
- ttl: 3600
- records: ["0 5 5222 chat.{{ virtual_host }}."]
- - subname: "_xmpps-client._tcp"
- type: SRV
- ttl: 3600
- records: ["0 5 5223 chat.{{ virtual_host }}."]
- - subname: "_5222._tcp.chat"
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
- - subname: "_5223._tcp.chat"
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
- delegate_to: localhost
-
- - name: Ensure s2s records are registered in subdomain
- ansible.builtin.uri:
- url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
- method: PUT
- body_format: json
- headers:
- Authorization: Token {{ desec_token }}
- body:
- - subname: "_xmpp-server._tcp"
- type: SRV
- ttl: 3600
- records: ["0 5 5269 chat.{{ virtual_host }}."]
- - subname: "_xmpps-server._tcp"
- type: SRV
- ttl: 3600
- records: ["0 5 5270 chat.{{ virtual_host }}."]
- - subname: "_xmpps-server._tcp.upload"
- type: SRV
- ttl: 3600
- records: ["0 5 5270 chat.{{ virtual_host }}."]
- - subname: "_xmpps-server._tcp.conference"
- type: SRV
- ttl: 3600
- records: ["0 5 5270 chat.{{ virtual_host }}."]
- - subname: "_5269._tcp.chat"
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
- - subname: "_5270._tcp.chat"
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
+ records:
+ - host: "_xmpp-server._tcp{{ env_suffix }}"
+ type: "SRV"
+ data: "chat{{ env_suffix }}.{{ domain }}."
+ srv_priority: "0"
+ srv_weight: "5"
+ srv_port: "5269"
+ - host: "_xmpps-server._tcp{{ env_suffix }}"
+ type: "SRV"
+ data: "chat{{ env_suffix }}.{{ domain }}."
+ srv_priority: "0"
+ srv_weight: "5"
+ srv_port: "5270"
+ - host: "_xmpps-server._tcp.conference{{ env_suffix }}"
+ type: "SRV"
+ data: "chat{{ env_suffix }}.{{ domain }}."
+ srv_priority: "0"
+ srv_weight: "5"
+ srv_port: "5270"
+ - host: "_xmpps-server._tcp.upload{{ env_suffix }}"
+ type: "SRV"
+ data: "chat{{ env_suffix }}.{{ domain }}."
+ srv_priority: "0"
+ srv_weight: "5"
+ srv_port: "5270"
+ - host: "_5269._tcp.chat{{ env_suffix }}"
+ type: "TLSA"
+ data: "{{ dane_hash }}"
+ tlsa_usage: "3"
+ tlsa_selector: "1"
+ tlsa_matching: "1"
+ - host: "_5270._tcp.chat{{ env_suffix }}"
+ type: "TLSA"
+ data: "{{ dane_hash }}"
+ tlsa_usage: "3"
+ tlsa_selector: "1"
+ tlsa_matching: "1"
delegate_to: localhost
when: not is_transport_server
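Review bot: Both new `ansible.builtin.uri` PUTs in this hunk carry no credentials: the `Authorization: Token {{ desec_token }}` headers are removed and nothing replaces them, so unless `module_defaults` or a play-level setting supplies Mythic Beasts credentials outside this hunk, the requests go out unauthenticated. When credentials are added to these tasks (for example `url_username`/`url_password` or a bearer `headers:` entry), also set `no_log: true` on each task, since a failed uri call can echo its module arguments, headers included, into the play output. Separately, the TLSA selectors append `%26data%3D{{ dane_hash }}`, so only records already carrying the current hash are matched for replacement; if the intent is to retire rotated hashes this filter should be dropped, and if keeping old TLSA records through a rollover is deliberate a comment saying so would help. Finally, the first SRV record uses bare integers (`srv_priority: 0`, `srv_weight: 5`, `srv_port: 5222`) while every other SRV/TLSA entry quotes them as strings; pick one form so the JSON body is consistent.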
@@ -526,31 +518,13 @@
vars:
- domain_keys: >-
- {{- domain.json["keys"]
- | map(attribute='ds')
- | flatten
- | select("search", " 13 2 ") -}}
-
- parent_host: "{{ virtual_host.split('.')[1:] | join('.') }}"
-
- # When the virtual host is on a subdomain, we want a DS record on the parent
- # domain. This is so we can manage the subdomain as a separate domain on
- # deSEC, and enforce some separation between nonprod and prod.
- #
- # If virtual_host is "continuous.nonprod.example.org", then domain_with_ds
- # is "example.org".
- domain_with_ds: >-
- {{- parent_domain.json
- | map(attribute='name')
- | first
- | default("") -}}
-
- # To register the DS record, we need the subname to point to.
- #
- # If virtual_host is "continuous.nonprod.example.org", then ds_subname is
- # "continuous.nonprod".
- ds_subname: "{{ virtual_host | regex_replace('.' + domain_with_ds, '') }}"
+ env_prefix: >-
+ {{ "" if env == "" else env + "." }}
+
+ env_suffix: >-
+ {{ "" if env == "" else "." + env }}
+
+ virtual_host: "{{ env_prefix }}{{ domain }}"
turn_server: "chat.{{ env_prefix }}{{ turn_domain }}"